Newbie question on X509
Hi all,

I am trying to display the X509 subject name using an example such as:

    x=load_cert(infile,informat);
    if(x==NULL) goto end;
    X509_NAME_oneline(X509_get_subject_name(x), buf, 256);

I want to know how many bytes there are before the subject field in the certificate. Is there any openssl function to get the number?

Kiyoshi,
Kiyoshi Watanabe

__ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
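An added example, not part of the original post and not OpenSSL code: one way to get the number asked about is to walk the DER encoding of the certificate and skip the fields that precede the subject in tbsCertificate. The names der_hdr, subject_offset and SAMPLE are hypothetical, and SAMPLE is a constructed, cert-shaped byte string rather than a real certificate.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed cert-shaped sample (public key and signature omitted). */
static const unsigned char SAMPLE[] = {
    0x30,0x57, 0x30,0x55, 0xa0,0x03,0x02,0x01,0x02, 0x02,0x01,0x01,   /* headers, v3, serial 1 */
    0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,
    0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x03,0x13,0x02,'C','A', /* issuer CN=CA */
    0x30,0x1e,0x17,0x0d,'0','1','1','0','1','4','0','0','0','0','0','0','Z',
              0x17,0x0d,'0','2','1','0','1','4','0','0','0','0','0','0','Z',
    0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x03,0x13,0x02,'E','E'  /* subject CN=EE */
};

/* Read one DER tag+length header; returns its size (0 on error), content length in *clen. */
static size_t der_hdr(const unsigned char *p, size_t len, size_t *clen)
{
    size_t n = 2, nb, i;
    if (len < 2) return 0;
    *clen = p[1];
    if (p[1] & 0x80) {                      /* long form: nb length bytes follow */
        nb = p[1] & 0x7f;
        if (nb == 0 || nb > 4 || len < 2 + nb) return 0;
        for (*clen = 0, i = 0; i < nb; i++) *clen = (*clen << 8) | p[2 + i];
        n += nb;
    }
    return (*clen <= len - n) ? n : 0;      /* content must fit in what is left */
}

/* Number of bytes before the subject Name in a DER certificate, or -1 if malformed. */
long subject_offset(const unsigned char *der, size_t len)
{
    size_t off = 0, clen, h;
    int i, fields;
    for (i = 0; i < 2; i++) {               /* enter Certificate, then tbsCertificate */
        h = der_hdr(der + off, len - off, &clen);
        if (h == 0 || der[off] != 0x30) return -1;
        off += h;
        len = off + clen;                   /* stay inside this SEQUENCE */
    }
    if (off >= len) return -1;
    fields = (der[off] == 0xa0) ? 5 : 4;    /* [0] version is optional; then serial, */
    for (i = 0; i < fields; i++) {          /* signature, issuer, validity */
        h = der_hdr(der + off, len - off, &clen);
        if (h == 0) return -1;
        off += h + clen;
    }
    return (der_hdr(der + off, len - off, &clen) && der[off] == 0x30) ? (long)off : -1;
}
int main(void) {
    printf("subject starts at byte %ld\n", subject_offset(SAMPLE, sizeof SAMPLE));
    return 0;
}
```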
problem in s_client -- comments on fix?
I mentioned this to Ulf a while back when I found it.

I tried parsing the output of s_client with some perl code I was writing, and I found that the connection information (cipher selection, certificate chain if you ask for it with -showcerts) gets mixed up with the HTTP response.

I tracked it down to buffering problems -- some output is going via the BIO interface and other output is going direct to stdout (I think). The result is kind of random display of the connection information mixed in with the HTTP response.

I temporarily patched it by putting a BIO_flush(bio) at the end of the print_stuff function in s_client.c. I also put immediately preceding that:

    BIO_printf(bio,"---end---\n"); /* use \n---end---\n as separator */

otherwise I couldn't easily recognise the boundary between HTTP response and content.

Opinions on the correct thing to do? It seems that it might be better to put connection information on stderr where it can be unambiguously separated. The downside of that is that there are cert verification error messages that get sent to stderr which would then get mixed with the connection information.

Thoughts?

Adam
Re: problem in s_client -- comments on fix?
On Sun, Oct 14, 2001 at 04:01:23PM +0100, Adam Back wrote:
> I tried parsing the output of s_client with some perl code I was writing, and I found that the connection information (cipher selection, certificate chain if you ask for it with -showcerts) gets mixed up with the HTTP response.

What do you want to achieve? OpenSSL s_client is a test and demo program. If you want to separate normal I/O and the connection information, the correct solution would be to use a separate channel for the information.

I didn't have a look into stunnel for quite some time. Maybe it is better suited to your needs, as it is intended for application and not for testing?

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Re: problem in s_client -- comments on fix?
Don't worry about the application -- it was a throw-away proof of concept thing, already forgotten. You're probably right there are other ways to do it. I did consider stunnel briefly but there was some reason s_client fit better into the existing perl glue code I had.

Either way though s_client's behavior is wrong, because even visually you can't _find_ the connection info mixed in with the HTTP response; my post was just to follow up having found the bug to fix the problem. The note about the application was just background of how I found it.

For s_client's main purpose (command line manual testing), perhaps just the BIO_flush(bio) is all that's needed.

Adam

On Sun, Oct 14, 2001 at 05:33:49PM +0200, Lutz Jaenicke wrote:
> What do you want to achieve? OpenSSL s_client is a test and demo program. If you want to separate normal I/O and the connection information, the correct solution would be to use a separate channel for the information.
>
> I didn't have a look into stunnel for quite some time. Maybe it is better suited to your needs, as it is intended for application and not for testing?
Re: problem in s_client -- comments on fix?
On Sun, Oct 14, 2001 at 04:43:30PM +0100, Adam Back wrote:
> Either way though s_client's behavior is wrong, because even visually you can't _find_ the connection info mixed in with the HTTP response; my post was just to follow up having found the bug to fix the problem. The note about the application was just background of how I found it.
>
> For s_client's main purpose (command line manual testing), perhaps just the BIO_flush(bio) is all that's needed.

Then please allow another statement:

* I personally find s_client to be more or less unreadable :-(
* OpenSSL 0.9.7 should be coming out in the very near future and I would not expect anything to change on this before 0.9.7 (and I am not aware of any statements to put work into an s_client cleanup anyway).
* If you have any patch to submit that will improve the behaviour of s_client you are most welcome to post it to this list :-)

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
[STATUS] OpenSSL (Sun 14-Oct-2001)
OpenSSL STATUS
Last modified at $Date: 2001/09/25 11:01:14 $

DEVELOPMENT STATE

  o OpenSSL 0.9.7: Under development...
  o OpenSSL 0.9.6b: Released on July 9th, 2001
  o OpenSSL 0.9.6a: Released on April 5th, 2001
  o OpenSSL 0.9.6: Released on September 24th, 2000
  o OpenSSL 0.9.5a: Released on April 1st, 2000
  o OpenSSL 0.9.5: Released on February 28th, 2000
  o OpenSSL 0.9.4: Released on August 9th, 1999
  o OpenSSL 0.9.3a: Released on May 29th, 1999
  o OpenSSL 0.9.3: Released on May 25th, 1999
  o OpenSSL 0.9.2b: Released on March 22nd, 1999
  o OpenSSL 0.9.1c: Released on December 23rd, 1998

RELEASE SHOWSTOPPERS

  o BIGNUM library failures on 64-bit platforms (0.9.7-dev):
    - BN_mod_mul verification (bc) fails for solaris64-sparcv9-cc

AVAILABLE PATCHES

  o IA-64 (a.k.a. Intel Itanium) public-key operation performance patch for Linux is available for download at http://www.openssl.org/~appro/096b.linux-ia64.diff. As the URL suggests, the patch is relative to OpenSSL 0.9.6b.

IN PROGRESS

  o Steve is currently working on (in no particular order):
      ASN1 code redesign, butchery, replacement.
      OCSP
      EVP cipher enhancement.
      Enhanced certificate chain verification.
      Private key, certificate and CRL API and implementation.
      Developing and bugfixing PKCS#7 (S/MIME code).
      Various X509 issues: character sets, certificate request extensions.
  o Geoff and Richard are currently working on:
      ENGINE (the new code that gives hardware support among others).
  o Richard is currently working on:
      UI (User Interface)
      UTIL (a new set of library functions to support some higher level functionality that is currently missing).
      Shared library support for VMS.
      Kerberos 5 authentication
      Constification
      OCSP

NEEDS PATCH

  o All 'openssl' subprograms taking '-des' and '-des3' options should include AES support (0.9.7-dev)
  o 'openssl speed' should include AES support (0.9.7-dev)
  o apps/ca.c: "Sign the certificate?" - "n" creates empty certificate file
  o OpenSSL_0_9_6-stable: #include <openssl/e_os.h> in exported header files is illegal since e_os.h is suitable only for library-internal use.
  o Whenever strncpy is used, make sure the resulting string is NULL-terminated or an error is reported
  o OpenSSL STATUS is never up-to-date.

OPEN ISSUES

  o The Makefile hierarchy and build mechanism is still not a round thing:

    1. The config vs. Configure scripts
       It's the same nasty situation as for Apache with APACI vs. src/Configure. It confuses.
       Suggestion: Merge Configure and config into a single configure script with an Autoconf style interface ;-) and remove Configure and config. Or even let us use GNU Autoconf itself. Then we can avoid a lot of those platform checks which are currently in Configure.

  o Support for Shared Libraries has to be added at least for the major Unix platforms. The details we can rip from the stuff Ralf has done for the Apache src/Configure script. Ben wants the solution to be really simple.

    Status: Ralf will look how we can easily incorporate the compiler PIC and linker DSO flags from Apache into the OpenSSL Configure script.
            Ulf: +1 for using GNU autoconf and libtool (but not automake, which apparently is not flexible enough to generate libcrypto)

  o The perl/ stuff needs a major overhaul. Currently it's totally obsolete. Either we clean it up and enhance it to be up-to-date with the C code or we also could replace it with the really nice Net::SSLeay package we can find under http://www.neuronio.pt/SSLeay.pm.html. Ralf uses this package for a longer time and it works fine and is a nice Perl module. Best would be to convince the author to work for the OpenSSL project and create a Net::OpenSSL or Crypt::OpenSSL package out of it and maintains it for us.

    Status: Ralf thinks we should both contact the author of Net::SSLeay and look how much effort it is to bring Eric's perl/ stuff up to date.
            Paul +1

WISHES

  o SRP in TLS.
    [wished by: Dj [EMAIL PROTECTED], Tom Wu [EMAIL PROTECTED], Tom Holroyd [EMAIL PROTECTED]]

    See http://search.ietf.org/internet-drafts/draft-ietf-tls-srp-00.txt as well as http://www-cs-students.stanford.edu/~tjw/srp/.

    Tom Holroyd tells us there is a SRP patch for OpenSSH at